This file was contributed to by Edgardo Gonzalez of PRSL
Introduction - SharePoint System Development Policy
End users may require the integration of external applications with SharePoint
Services in order to access vital information that supports their information
and collaboration activities. The integrity, security, and reliability of that
information must be assured through the strict application of methods and best
practices whenever interfaces to SharePoint services are built.
Purpose
The purpose of the SharePoint System Development Policy is to describe the
requirements for developing and/or implementing new software in the [SharePoint
Portal Owning Organization] SharePoint environment.
Audience
The [SharePoint Portal Owning Organization] SharePoint System Development
Policy applies equally to all individuals who use any [SharePoint Portal Owning
Organization] SharePoint resource.
SharePoint System Development Policy
- [SharePoint Portal Owning Organization] is responsible for developing,
maintaining, and participating in a System Development Life Cycle (SDLC) for
[SharePoint Portal Owning Organization] SharePoint development projects. All
SharePoint software developed in-house that runs on production servers must
be developed according to the SDLC. At a minimum, the SDLC should address
the areas of preliminary analysis or feasibility study; risk identification
and mitigation; systems analysis; general design; detailed design;
development; quality assurance and acceptance testing; implementation; and
post-implementation maintenance and review. This methodology ensures that
the software is adequately documented and tested before it is used to
process critical [SharePoint Portal Owning Organization] information.
- All production SharePoint servers must have designated owners and server
custodians for the critical information they process. [SharePoint Portal
Owning Organization] SharePoint administrators must perform periodic risk
assessments of production SharePoint servers to determine whether the
controls employed are adequate.
- All production SharePoint servers must have an access control system to
restrict who can access the system as well as restrict the privileges
available to these users. A designated SharePoint administrator (who is not
a regular user on the system in question) must be assigned for all
production SharePoint servers.
- Where resources permit, there should be a separation between the
production, development, and test SharePoint environments. This will ensure
that security is rigorously maintained for the production SharePoint
servers, while the development and test environments can maximize
productivity with fewer security restrictions. Where these distinctions have
been established, development and test staff must not be permitted to have
access to production systems. Likewise, all production software testing must
utilize sanitized information.
- All application-program-based access paths other than the formal user
access paths (for example, debugging or maintenance entry points and test
accounts left in Web Part or application code) must be deleted or disabled
before software is moved into production.
SharePoint System Development Policy Supporting Information
- All SharePoint software programs, SharePoint applications, Web Part /
Application source code, Web Part / Application object code, documentation
and general operational data shall be guarded and protected as if it were [SharePoint
Portal Owning Organization] property.
- SharePoint users must engage [SharePoint Portal Owning Organization]
management, or its designate, at the onset of any project to acquire SharePoint
hardware or to purchase or develop SharePoint software. The costs of
acquiring, developing, and operating computer hardware and applications must
be authorized by appropriate management. Management and the requesting
department must act within their delegated approval limits in accordance with
the agency authorization policy. A list of standard software and hardware that
may be obtained without specific, individual approval will be published.
- The department which requests and authorizes a SharePoint application
(the site / application owner) must take the appropriate steps to ensure the
integrity and security of all SharePoint Web Parts and application logic, as
well as data files created by, or acquired for, SharePoint applications. To
ensure a proper segregation of duties, owner responsibilities cannot be
delegated to the SharePoint server custodian.
- The integrity of [SharePoint Portal Owning Organization] SharePoint software,
utilities, operating systems, networks, and their respective data files is the
responsibility of the server custodian department. Data for test and research
purposes must be de-personalized prior to release to testers unless each
individual involved in the testing has authorized access to the SharePoint
data.
- All [SharePoint Portal Owning Organization] departments must carefully
assess the risk of unauthorized alteration, unauthorized disclosure, or loss
of the data within the [SharePoint Portal Owning Organization] SharePoint
environment for which they are responsible and ensure, through the use of
monitoring mechanisms, that [SharePoint Portal Owning Organization] is
protected from damage, monetary or otherwise. SharePoint owners and server
custodian departments must have appropriate backup and contingency plans for
disaster recovery based on risk assessment and business requirements.
Disciplinary Actions
Violation of this policy may result in disciplinary action, which may
include termination for employees and temporaries; termination of the
employment relationship in the case of contractors or consultants;
dismissal for interns and volunteers; or suspension or expulsion in the
case of a student. Additionally, individuals are subject to loss of [SharePoint
Portal Owning Organization] SharePoint access privileges and to civil and
criminal prosecution.
Compliance / Regulation Contributed to by this Policy
- Copyright Act of 1976
- Foreign Corrupt Practices Act of 1977
- Computer Fraud and Abuse Act of 1986
- Computer Security Act of 1987
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Any templates provided on this site are provided without warranty or implication. To brand the template(s), replace [SharePoint Portal Owning Organization] with your company name.